Keystone OIDC JWKS fix

JWT failed to validate on the auth-oidc endpoint used by the OpenStack CLI
with a "could not find key with kid: XX" error. To fix this we need
to use the JWKS provided in "jwks_uri" by the OIDC metadata endpoint.

A missing "ServerName" directive in the vhost config causes redirection
to fail in some cases when external TLS is enabled.

  - added "keystone_federation_oidc_jwks_uri" variable
  - added "OIDCOAuthVerifyJwksUri" to keystone vhost config
  - added "ServerName" to keystone vhost config
  - Jinja templating: additional whitespace trimmed to
    correct the end-result indentation and empty newlines

Closes-bug: 1990375
Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
Jakub Darmach 2022-09-21 14:36:53 +02:00
parent 81d4d26279
commit 9892976119
No known key found for this signature in database
GPG Key ID: A234FE88F409DEE5
4 changed files with 26 additions and 2 deletions


@ -220,6 +220,7 @@ keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_conf
keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keystone/federation/oidc/metadata"
keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
keystone_federation_oidc_jwks_uri: ""
# These variables are used to define multiple trusted Horizon dashboards.
# keystone_trusted_dashboards: ['<https://dashboardServerOne/auth/websso/>', '<https://dashboardServerTwo/auth/websso/>', '<https://dashboardServerN/auth/websso/>']
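Review bot: the new default `keystone_federation_oidc_jwks_uri: ""` lands without a comment, while the neighbouring `keystone_trusted_dashboards` entry documents what it is for; add a one-line comment above it stating that a non-empty value is rendered as `OIDCOAuthVerifyJwksUri` in the Keystone vhost and is only needed for the auth-openidc (CLI) endpoint, so operators reading the defaults file know when to set it.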


@ -39,6 +39,11 @@ LogLevel info
<VirtualHost *:{{ keystone_public_listen_port }}>
{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#}
{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. -#}
{% if kolla_enable_tls_external | bool %}
ServerName {{ keystone_public_url }}
{% endif %}
WSGIDaemonProcess keystone-public processes={{ keystone_api_workers }} threads=1 user=keystone group=keystone display-name=keystone-public
WSGIProcessGroup keystone-public
WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public
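Review bot: `ServerName {{ keystone_public_url }}` relies on `keystone_public_url` being `scheme://host[:port]` with no path component, because Apache's ServerName accepts an optional scheme and port but not a path; extend the NOTE comment to state that assumption, since a deployment that puts Keystone under a path prefix would get a ServerName Apache rejects at startup rather than the https redirect this change is meant to fix.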
@ -55,7 +60,7 @@ LogLevel info
SSLEngine on
SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
{% endif %}
{% endif -%}
{% if keystone_enable_federation_openid %}
OIDCClaimPrefix "OIDC-"
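Review bot: the only change here is `{% endif %}` to `{% endif -%}`, which strips the newline and leading whitespace after the tag, so the following `{% if keystone_enable_federation_openid %}` block renders one line higher; this is the whitespace trimming the commit message mentions, but a before/after diff of the rendered vhost config should be attached to the review to show that `OIDCClaimPrefix` and the other OIDC directives still land on their own lines inside the VirtualHost.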
@ -63,6 +68,9 @@ LogLevel info
OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
OIDCScope "{{ keystone_federation_oidc_scopes }}"
OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
{% if keystone_federation_oidc_jwks_uri | length > 0 %}
OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}
{% endif %}
{% if keystone_federation_openid_certificate_key_ids | length > 0 %}
OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
{% endif %}
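Review bot: `OIDCOAuthVerifyJwksUri` is a single global value here, but the template below loops over `keystone_identity_providers` and emits one auth location per IdP; with more than one OpenID provider only the keys from this one JWKS URI will be trusted for bearer-token verification on the auth-openidc endpoint, so either document the single-provider limitation next to the variable or model the URI per identity provider. The `| length > 0` guard mirrors the `keystone_federation_openid_certificate_key_ids` block, which is fine, but both directives can now be emitted together; confirm from the mod_auth_openidc docs how it treats `OIDCOAuthVerifyJwksUri` and `OIDCOAuthVerifyCertFiles` when both are set, or make them mutually exclusive in the template.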
@ -96,7 +104,7 @@ LogLevel info
{# CLI / API authentication endpoint -#}
{% for idp in keystone_identity_providers %}
{% if idp.protocol == 'openid' %}
{% if idp.protocol == 'openid' -%}
<LocationMatch /v3/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/auth>
Require valid-user
{# Note(jasonanderson): `auth-openidc` is a special auth type that can -#}
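Review bot: the `-%}` added to `{% if idp.protocol == 'openid' -%}` only strips the newline before `<LocationMatch ...>`; the matching `{% endif %}` for this block is outside the hunk, so check that it received the same treatment, otherwise each iteration of the `keystone_identity_providers` loop still leaves a blank line after the location block and the indentation fix is only half applied.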


@ -88,6 +88,14 @@ below:
- name: "mappingId1"
file: "/full/qualified/path/to/mapping/json/file/to/mappingId1"
In some cases it's necessary to add JWKS (JSON Web Key Set) uri.
It is required for auth-openidc endpoint - which is
used by OpenStack command line client. Example config shown below:
.. code-block:: yaml
keystone_federation_oidc_jwks_uri: "https://<AUTH PROVIDER>/<ID>/discovery/v2.0/keys"
Identity providers configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
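Review bot: as shown, `.. code-block:: yaml` is immediately followed by the unindented `keystone_federation_oidc_jwks_uri:` line and then by the `Identity providers configurations` heading with no blank lines; reStructuredText needs a blank line after the directive and the YAML indented beneath it, or Sphinx will not render the example (ignore this if the indentation was lost in this view). Also spell it `URI` and keep `JWKS (JSON Web Key Set)` as written, e.g. "In some cases it is necessary to add a JWKS (JSON Web Key Set) URI. It is required for the auth-openidc endpoint, which is used by the OpenStack command line client.", and use the same endpoint name as the release note (`auth-openidc` here, `auth-oidc` there).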


@ -0,0 +1,7 @@
---
fixes:
- |
Fixes Keystone OIDC failing to validate JWT because of missing key
on Azure auth-oidc endpoint. Adds new variable containing JWKS uri
that delivers missing keys.
`LP#1990375 <https://bugs.launchpad.net/kolla-ansible/+bug/1990375>`__
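Review bot: the note attributes the failure to the "Azure auth-oidc endpoint", but the variable and the Apache directive are provider-agnostic and the docs call the endpoint `auth-openidc`; reword along the lines of "Fixes Keystone OIDC failing to validate JWTs on the auth-openidc endpoint (observed with Azure) because the signing key was missing. Adds a new variable `keystone_federation_oidc_jwks_uri` for the JWKS URI that supplies those keys." so that operators searching the release notes find the variable name, and write `URI` in upper case for consistency with the docs.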